Creating an Identity Provider

I am completely new to the SAML world. My company wants our IT department to provide an SSO solution for a third-party application which we purchased. It supports SAML 2.0 but, according to their website: “Organizations must have SP-initiated SAML SSO implemented in their portal to utilize this functionality”, which I take to mean that they, the SP, must initiate the request and we would act as the IdP.

Assuming that’s the case, we have an SAP system that they would need to authenticate into. The problem is, although SAP can act as an IdP, it appears we don’t have the necessary software to do that and it’s looking like we’re not going to be able to procure it.

So, my question is, is it possible for us to create an IdP server with your product and C# whereby the SP can contact our IdP software and we would then attempt to authenticate to our SAP system using custom code and then prepare a response/assertion back? If so, where in your framework would we call out to SAP? Would we receive an AuthnRequest from the SP that contains the user’s Id and Password or would we need to display a form and collect that information?

Thanks in advance!

Authentication of the user by the identity provider is the responsibility of the application. We don’t place any restrictions on this. Therefore, you can write custom code to authenticate to your SAP system as part of SSO.

The flow for SP-initiated SSO is:

1. SP sends a SAML authn request to IdP.
2. IdP authenticates/logs user in.
3. IdP sends a SAML response to the SP.
4. SP automatically logs user in.

Your application calls SAMLIdentityProvider.ReceiveSSO to receive and process the SAML authn request (step #1). Once you have authenticated the user against SAP, your application calls SAMLIdentityProvider.SendSSO to create and send a SAML response (step #3).

The SAML authn request can include the user’s ID but it never includes the password. Your application would need to prompt for these as part of the authentication (step #3).

I suggest taking a look at the ExampleIdentityProvider project under the Examples\SSO\WebForms folder or the MvcExampleIdentityProvider project under the Examples\SSO\MVC folder. The ExampleIdentityProvider uses WebForms authentication and the MvcExampleIdentityProvider uses Microsoft Identity (OWIN). However, there are no restrictions on what authentication scheme you use including a completely custom scheme. These examples demonstrate calling the SAML API as well as the accompanying SAML configuration (saml.config file). The Examples Guide in the documentation folder walks through these examples.
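The steps above, put together as an added example of the IdP side in an ASP.NET MVC controller. This is not code from the thread or from the vendor's example projects: the parameter shapes of `SAMLIdentityProvider.ReceiveSSO` / `SendSSO`, the `ComponentSpace.SAML2` namespace, and the assumption that `SendSSO` completes the authn request received earlier in the same session are assumptions, and `ISapAuthenticator` is a hypothetical wrapper for whatever custom SAP logon code you write.

```csharp
// Added example (not the vendor's or the poster's code): IdP side of SP-initiated SSO.
// Assumed: ReceiveSSO(Request, out partnerSP) and SendSSO(Response, userName, attributes),
// and that SendSSO answers the authn request ReceiveSSO stored in this session.
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;   // assumed namespace

// Hypothetical: wraps your own code that checks a user name/password against SAP.
public interface ISapAuthenticator
{
    bool Authenticate(string userName, string password);
}

public class SamlController : Controller
{
    private readonly ISapAuthenticator _sap;

    public SamlController(ISapAuthenticator sap) { _sap = sap; }

    // Step 1: the SP sends its AuthnRequest here. It identifies the SP (issuer) and may
    // carry a subject name ID; it never carries a password, so the IdP must log the user in.
    [HttpGet, HttpPost]
    public ActionResult SSOService()
    {
        string partnerSP;
        SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP);   // assumed signature

        // Only SPs configured as partners in saml.config reach this point; ReceiveSSO is
        // expected to reject requests from unknown issuers or with bad signatures.
        if (User.Identity.IsAuthenticated)
        {
            // Existing IdP session: no need to prompt again.
            return CompleteSso(User.Identity.Name);
        }

        // Step 2: no session yet, so collect the credentials ourselves.
        return RedirectToAction("Login");
    }

    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    // Step 2 (continued): this is where the call-out to SAP lives.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!_sap.Authenticate(userName, password))
        {
            // One generic message so the form does not reveal which part was wrong.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Establish the local IdP session so later SP requests reuse it.
        FormsAuthentication.SetAuthCookie(userName, false);
        return CompleteSso(userName);
    }

    // Step 3: create the SAML response/assertion for the pending request and auto-POST
    // it to the SP's assertion consumer service. The SP then logs the user in (step 4).
    private ActionResult CompleteSso(string userName)
    {
        // Constructed sample attribute; send only what the SP is entitled to receive.
        var attributes = new Dictionary<string, string>
        {
            { "displayName", userName }
        };

        SAMLIdentityProvider.SendSSO(Response, userName, attributes);   // assumed signature
        return new EmptyResult();   // SendSSO has already written the auto-post form
    }
}
```

The SAP call sits in the `Login` POST action, not in `SSOService`: the authn request only tells you which SP is asking and (optionally) who the user claims to be, so the password has to come from your own login form. The partner SP's entity ID, certificate and assertion consumer service URL are read from `saml.config`, which is what prevents an arbitrary site from obtaining an assertion by sending your IdP an authn request.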